OT: antivirus?


Eric Meyer

Jun 22, 2011, 6:39:52 PM
to VDE_Editor

My apologies for going off-topic, but this list has always been a good source
of recommendations for straightforward, efficient software generally, even for
Windows. So, what's a good, simple, non-suite, low-impact antivirus solution
for XP? I've become increasingly frustrated with Norton AV (which my laptop
came with) and just let my "subscription" expire, only to discover that it's
no longer just a question of updates; now, the whole program simply stops
working until you pay up again! I call that extortion, so I just removed it
and am looking for a replacement.

Note that in 20+ years of using NAV I have never(!) encountered any threat
that triggered it. Common sense works pretty well on its own: I run a real
firewall (Comodo) with some malware defenses, and NoScript in Firefox, don't
use MS Outlook, Word, or IE, don't click on things without thinking, etc. So,
initially AVG and Comodo look pretty usable and non-extortionate, but how
badly do I need an AV at all?

-- Eric Meyer.

Moy Wong

Jun 22, 2011, 7:06:45 PM
to vde_e...@googlegroups.com
Hi Eric,

I use ClamWin http://www.clamwin.com/ to scan files manually.

I'm wondering how successful you were at "removing" NAV. I understand
there's a lot of persistent, hard-to-remove elements left behind after
an uninstall.

Like you, I avoid any of the MS programs that utilize "macros," I am
careful to understand what I permit the OS to execute, be aware of
anything that can "auto execute," "auto-load" (especially for USB flash
drives now) etc. etc. etc.

That's probably still not enough these days, as websites routinely have
your browser download and execute plug-ins in order to display something
(often a video). Heck, having Java expose your PC's innards is a little
freaky to me. Gone are the days of "standardized," pure-HTML web pages.

A more subtle need for AV is so you don't pass along something infected
to someone else, even if you are totally diligent and don't get
infected.

-moy


] My apologies for going off-topic, but this list has always been a good source

]
]--
]You are subscribed to the Google Group "VDE_Editor".
]To unsubscribe, send email to vde_editor+...@googlegroups.com
]For more options, visit the group at http://groups.google.com/group/vde_editor
]Get VDE and related files at http://sites.google.com/site/vdeeditor/
]

dmccunney

Jun 22, 2011, 8:12:25 PM
to vde_e...@googlegroups.com
On Wed, Jun 22, 2011 at 6:39 PM, Eric Meyer <xor...@gmail.com> wrote:
>
>        My apologies for going off-topic, but this list has always been a
> good source of recommendations for straightforward, efficient software
> generally, even for Windows.  So, what's a good, simple, non-suite,
> low-impact antivirus solution for XP?  I've become increasingly frustrated
> with Norton AV (which my laptop came with) and just let my "subscription"
> expire, only to discover that it's no longer just a question of updates;
> now, the whole program simply stops working until you pay up again!  I call
> that extortion, so I just removed it and am looking for a replacement.

I've avoided the Norton consumer products like the plague. Too many
instances of "Does not play well with others", and acting a lot like
malware if you actually tried to remove it. As mentioned previously,
what I run is Symantec Corporate 9, courtesy of an employer site
license. It gets updates automatically once a week, and generally
has been trouble free and not resource intensive. (Not the
case, however, in the Win2K instance on my old notebook. It's broken
badly enough I probably have to reinstall 2K to get it back, and
Symantec seems to be the culprit. I spend most time on that box in
Linux, so it hasn't been a pressing concern.)

But in fact, the only things Symantec has actually *found* in several
years have all been false positives - it decided that some ancient DOS
programs I still keep around were virus ridden and deleted them. That
was mostly an annoyance: all of that stuff lives under the same
directory tree, so it was a matter of figuring out how to tell
Symantec "Don't examine *this* directory!", then copying in new copies
of what it had deleted from the distribution archives.

>        Note that in 20+ years of using NAV I have never(!) encountered any
> threat that triggered it.  Common sense works pretty well on its own: I run
> a real firewall (Comodo) with some malware defenses, and NoScript in
> Firefox, don't use MS Outlook, Word, or IE, don't click on things without
> thinking, etc.  So, initially AVG and Comodo look pretty usable and
> non-extortionate, but how badly do I need an AV at all?

I have the same questions. I look at viruses as diseases. Diseases
have vectors by which they enter and infect the host. Ward the
vectors and block the disease.

By far the biggest vector for viruses is email and infected
attachments (helped by MS's default "Hide extensions for known file
types" setting in Windows Explorer, so you don't know that
cute-kitten-picture.jpg in your email is actually
cute-kitten-picture.jpg.EXE, and when you click on it to view it you
are pwned...)

I use GMail as my primary email, and it polls my ISP account and
others, so all mail appears in one Inbox. Attachments stay on
Google's servers, and only get downloaded if required. Google has
implemented viewers for just about every major file type, so it's
seldom necessary to actually download one. I can open and view it in
the browser.

I download a fair bit of software, but much of it is open source, and
all of it comes from known good sources that scan on their end. I
also get stuff through Bit Torrent, but the same applies. It's all
known-good. (I'm seeding the current Ubuntu release now, as it
happens.)

Looking back, about the only thing that might have bitten me was the
infamous Sony CD rootkit.

I keep Symantec around because it works fairly well and updates
automatically. I don't have to think about it. If it stopped
working, I might *not* replace it.

My SO just got a new HP laptop, to replace her older one that stopped
booting. Right now, it uses the built-in Windows firewall (which is
pretty good under Win7, with the main drawback being that configuring
*outbound* control is a PITA.) For A/V, I installed MS Essentials,
which includes A/V. I looked at that briefly under XP, but it used
too many resources. Under Win7 on a 64 bit machine it seems
reasonable so far. I'm not in a hurry to upgrade either. She's more
limited and conservative in her usage than I am, and even less likely
to encounter bad stuff, and she too uses GMail as her primary account.

I think you might well be safe enough running without A/V.

>        --  Eric Meyer.
______
Dennis
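The "Hide extensions for known file types" trick Dennis describes (a file shown as cute-kitten-picture.jpg that is really cute-kitten-picture.jpg.EXE) is easy to check for before an attachment is ever opened. The following is an added example, not code from anyone in this thread: a small Python audit that reconstructs what Explorer would display for a filename and flags names whose real, final extension is executable while an innocuous data extension sits in front of it. The extension lists are assumptions drawn from the well-known set of Windows executable and script types, and the sample filenames are constructed.

```python
"""Flag attachment names that hide an executable extension behind a harmless one.

Added example: detects the 'cute-kitten-picture.jpg.EXE' pattern discussed above.
The extension lists below are assumptions (well-known Windows executable/script
types and common data types), not an exhaustive registry lookup.
"""
import os
from typing import List, Tuple

# Types Windows launches directly (executables, scripts, shortcuts, installers).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".msi", ".hta", ".cpl", ".lnk", ".ps1", ".reg",
}

# Types a user expects to be inert data.
DATA_EXTENSIONS = {
    ".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt", ".mp3", ".avi", ".zip",
}


def split_extensions(filename: str) -> Tuple[str, List[str]]:
    """Return (stem, [ext1, ext2, ...]) keeping original case.

    'cute.jpg.EXE' -> ('cute', ['.jpg', '.EXE']); 'README' -> ('README', []).
    """
    name = os.path.basename(filename)
    parts = name.split(".")
    if len(parts) < 2:
        return name, []
    return parts[0], ["." + p for p in parts[1:]]


def _norm(ext: str) -> str:
    # Lower-case and drop padding spaces so 'photo.jpg      .exe' is still caught.
    return ext.strip().lower()


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled:
    the last extension is dropped if it is a known type, so only '.jpg' remains
    visible for 'cute-kitten-picture.jpg.EXE'."""
    stem, exts = split_extensions(filename)
    if not exts:
        return stem
    known = EXECUTABLE_EXTENSIONS | DATA_EXTENSIONS
    if _norm(exts[-1]) in known:
        exts = exts[:-1]
    return stem + "".join(exts)


def classify(filename: str) -> str:
    """'executable-disguised' when an executable extension follows a data
    extension, 'executable' for a plain executable name, otherwise 'data'."""
    _, exts = split_extensions(filename)
    if not exts:
        return "data"
    if _norm(exts[-1]) in EXECUTABLE_EXTENSIONS:
        if any(_norm(e) in DATA_EXTENSIONS for e in exts[:-1]):
            return "executable-disguised"
        return "executable"
    return "data"


def audit(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Report (real name, name as Explorer would show it, verdict) per file."""
    return [(f, displayed_name(f), classify(f)) for f in filenames]


# Constructed sample attachment names for a stand-alone run.
SAMPLE_ATTACHMENTS = [
    "cute-kitten-picture.jpg.EXE",
    "invoice.pdf                .scr",
    "report.pdf",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for real, shown, verdict in audit(SAMPLE_ATTACHMENTS):
        print(f"{verdict:22} shown as {shown!r:40} actually {real!r}")
```

Running the block prints the verdict beside the name Explorer would have shown, which is exactly the information the hidden-extension default takes away from the user.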

Twin Cities Transplant

Jun 22, 2011, 11:54:14 PM
to vde_e...@googlegroups.com
Eric et al.,

I'd like to be able to echo Dennis's sentiment about being "safe enough running without A/V", but I just can't bring myself to do that on a Windows machine.  I think of myself as a knowledgeable and cautious user, and I still got hit by a drive-by (an infected ad on a legitimate Web site) several months ago.  I knew instantly when it happened, because it started Java and tried to download and open a PDF, though I suspect that Flash may have been the actual vector.  My Symantec product didn't identify and stop it.  I had to take the machine offline, shut it down, and then clean it up with Malwarebytes' Anti-Malware (MBAM) the next day in my office.

On the topic of Symantec and Malwarebytes, I read an interesting article a couple of years ago about how Symantec support technicians were using MBAM during remote support sessions:

  http://www.pcmag.com/article2/0,2817,2342634,00.asp

If those guys realize that it can do a better job than their own company's software when cleaning up certain messes, then that reinforces to me just how good the product is.  I've used it before and since as one of the tools I use to detect and clean infections.

What you're looking for, though, is something to use before the fact:  prevention.  I would echo Dennis's plug for Microsoft Security Essentials.  I've had it running on my mom's Vista notebook for awhile now, and it seems to have done a good job of protecting her.  (I also have scheduled scans and updates with MBAM.)  I also have limited experience with Avira in Windows, but the latest ratings of free security software from Consumer Reports give top marks to that and AVG, and I like the idea of something lightweight and supplemental, like ThreatFire (my SysAdmin at work likes Immunet, which I believe is similar).

One last thought:  Moy raised the question of how successful you actually were in removing NAV.  Symantec offers the Norton Removal Tool (http://www.symantec.com/symnrt) as a utility for cleaning up after their consumer products, so that might be something you'd want to look into.

Just my $0.02.  In case I haven't said it here before, I still think VDE is pretty groovy.  You should absolutely feel free to post off-topic, IMO.

Sean

dmccunney

Jun 23, 2011, 12:15:08 PM
to vde_e...@googlegroups.com
On Wed, Jun 22, 2011 at 11:54 PM, Twin Cities Transplant
<twincities...@gmail.com> wrote:
> Eric et al.,
>
> I'd like to be able to echo Dennis's sentiment about being "safe enough
> running without A/V", but I just can't bring myself to do that on a Windows
> machine.  I think of myself as a knowledgeable and cautious user, and I
> still got hit by a drive-by (an infected ad on a legitimate Web site)
> several months ago.  I knew instantly when it happened, because it started
> Java and tried to download and open a PDF, though I suspect that Flash may
> have been the actual vector.  My Symantec product didn't identify and stop
> it.  I had to take the machine offline, shut it down, and then clean it up
> with Malwarebytes' Anti-Malware (MBAM) the next day in my office.

A/V and malware are two different types of threats, and A/V software
will not block malware and vice versa. You discovered this when you
got hit. Symantec did not identify and block it. It's not intended
to. You need to use a different tool for that job. If you hadn't
been running A/V at all it would have made no difference.

I'd like to know a bit more about where you were and what you were
doing. I'd especially like to know what browser you were using. (I
strongly suspect IE.)

As mentioned, I run Firefox with the NoScript add-on. Firefox gets
kudos for being secure, but it's not the only alternative. Google
Chrome, Opera, and Safari also qualify. They are secure because they
*don't* support Active-X controls. (You can get an extension that
allows Firefox to do so, but it's a "Not recommended, and you better
know what you're doing" operation.) Most malware bounces off if IE is
not the browser in use.

For the same reasons that most viruses target Windows, most malware
targets IE, and uses security holes in Windows, IE, and the Active-X
mechanism to do "drive by installs". You can pick up something nasty
simply visiting an infected site, and be unaware you were infected
till your machine starts showing symptoms.

I run Firefox because the architecture makes it extensible, and I make
use of that. One addition is the NoScript extension. NoScript blocks
scripting activity unless the site is in a user maintained whitelist.
It defaults to blocking JavaScript, but can also block Java, Flash,
and Microsoft Silverlight. I also don't see the majority of ads.
Most folks run an extension called AdBlock Plus, which uses JavaScript
to scan pages looking for stuff to block. I'm not that fussy. I use
an extension called Stylish. Stylish allows you to apply arbitrary
CSS stylesheets (called UserStyles) to pages you view, based on the
page. I use a UserStyle called Ad Blocking Filterset P, which is also
under the hood in AdBlock. Filterset P defines a large number of ad
servers, and simply doesn't render content sourced from them.

I haven't had the sort of issue you encountered, because I have those
vectors warded.

> On the topic of Symantec and Malwarebytes, I read an interesting article a
> couple of years ago about how Symantec support technicians were using MBAM
> during remote support sessions:
>
>   http://www.pcmag.com/article2/0,2817,2342634,00.asp
>
> If those guys realize that it can do a better job than their own company's
> software when cleaning up certain messes, then that reinforces to me just
> how good the product is.  I've used it before and since as one of the tools
> I use to detect and clean infections.

I have and have used MalwareBytes. Yes, it will do a better job than
Symantec's software, as it addresses a different type of threat.

The only fail I've had with MalwareBytes was trying to disinfect a
friend's machine. She'd been abroad. Her cat sitter had apparently
gone places on the web and done things he shouldn't have done from her
machine, and when she returned it was trashed. MBAM did its best, but
the real problem was a rootkit, which was beyond even MBAM's
abilities, and the final solution was a new machine. (She'd been
planning to upgrade anyway - just not yet.)

I installed the free version, and update the databases periodically.
But I do "on-demand" scanning. I have not bought the payware
version that offers real time protection, as I don't need it. (The
worst the on-demand scans ever find are things like "tracking"
cookies, which I consider a nuisance, not a threat.)

> What you're looking for, though, is something to use before the fact:
> prevention.  I would echo Dennis's plug for Microsoft Security Essentials.
> I've had it running on my mom's Vista notebook for awhile now, and it seems
> to have done a good job of protecting her.  (I also have scheduled scans and
> updates with MBAM.)  I also have limited experience with Avira in Windows,
> but the latest ratings of free security software from Consumer Reports give
> top marks to that and AVG, and I like the idea of something lightweight and
> supplemental, like ThreatFire (my SysAdmin at work likes Immunet, which I
> believe is similar).

MSE is free, designed to work in Windows by the developers of Windows,
and seems to do the job.

I do *not* recommend it for XP. As mentioned, I looked at it here,
and it took too many resources on my 2.4ghz with 4GB RAM running XP
SP3. I was seeing CPU usage in the 20% range consistently, with
occasional spikes up from there. I do not see that with Symantec.

It seems to run fine on my SO's 64-bit Win7 laptop with 4GB RAM.

I looked at the Comodo Firewall/Anti-virus combo for her box. I ran
Comodo Firewall here for a while, and it looked like the best of the
free firewall lot, though it was a little more cumbersome to configure
than I liked. I reverted to Sygate Personal Firewall, which I've run
for years, and has the best interface I've seen in a firewall. Sygate
was bought and killed off by Symantec, but the last freeware version
is widely available. It gets knocked for failing "leak tests", but I
don't care. Leak Tests assume the machine has been compromised by
something that will try to disable or bypass the firewall and phone
home, and tests the ability of the product to defend itself. I find it
easier to simply not get compromised in the first place.

My concern about Comodo A/V is Comodo's ability to track and add
signatures for the vast variety of threats out there. Symantec and
McAfee are relatively big outfits which have been at this for decades.
Microsoft is a huge company with an intimate knowledge of the
products being protected. I wonder about Comodo's ability to keep up.
But this is a question, not a rejection, and Avira and AVG get good
reviews, too.

> One last thought:  Moy raised the question of how successful you actually
> were in removing NAV.  Symantec offers the Norton Removal Tool
> (http://www.symantec.com/symnrt) as a utility for cleaning up after their
> consumer products, so that might be something you'd want to look into.

Thanks for mentioning this. The fact that it's *needed* does not say
good things, but it's there and reported to work.

> Just my $0.02.  In case I haven't said it here before, I still think VDE is
> pretty groovy.  You should absolutely feel free to post off-topic, IMO.

Since Eric is VDE's author, and the list is devoted to his product, I
think he has the right to post about anything he wants. *I* won't
complain.

And speaking as List Manager, I don't get upset about off-topic
rambles. I see these conversations like Little Bo Peep's lost sheep
- leave them alone and they'll come home... I've been moderating here
and there since the MS-DOS days, and off-topic conversations generally
wandered back on target with no action by me beyond waiting a bit.

> Sean
______
Dennis

Twin Cities Transplant

Jun 23, 2011, 3:42:56 PM
to vde_e...@googlegroups.com
> A/V and malware are two different types of threats, and A/V software
> will not block malware and vice versa.

You can split hairs if you want, but these days I tend to lump it all under the "malware" umbrella.  I understand that there are lots of different types of attacks and vectors and lots of different labels based on how stuff is transmitted and what it does (viruses, rootkits, trojans, worms, fake-anti-virus, etc.).  I just lump it all under the "bad stuff" label.  I don't expect a single product to catch everything (although the corporate stuff we use in my office has separate labels in the logs for "Virus/Malware" and "Spyware/Grayware"), which is why I like the idea of layered security.

> Symantec did not identify and block it.  It's not intended
> to.

I don't know if that's true.  From my perspective, the security companies seem to be packaging broader detection/cleanup capabilities into their products these days.  Again, though, I wouldn't expect a single product to catch everything, and that's a big reason why I tend to use a handful of different scanners whenever I do a clean-up on someone else's PC.
 
> I'd like to know a bit more about where you were and what you were
> doing.  I'd especially like to know what browser you were using.  (I
> strongly suspect IE.)

It was the current production version of Firefox at the time, but I was not running NoScript.  (I'll have to look into that one.)  My current browser choices are Firefox, then Chrome, then take your pick.  (On some Linux systems, I like GNU IceCat because of how its scripting abilities are strictly limited by default.)  I avoid IE like the plague and have for years with two exceptions:
  1. I used to work in a clinic where the electronic health record interface was all Web-based and required ActiveX controls to run.
  2. Our users are standardized to MSIE, so I frequently test with MSIE.
 
> Most malware bounces off if IE is not the browser in use.

I felt somewhat-smugly safe while using Firefox (and I still believe it's far superior to MSIE for a number of reasons) until this drive-by.  I didn't have to click anything to get the infection.  I just landed on the page, and BOOM!  For the record, it was a band's site with a Flash-based streaming audio player embedded in the page, and the site also happened to be displaying advertisements, which I believe (from researching my infection after the fact) were the source of the infection.
 
> You can pick up something nasty
> simply visiting an infected site, and be unaware you were infected
> till your machine starts showing symptoms.

Exactly, and my PC showed symptoms immediately.
 
> The only fail I've had with MalwareBytes was trying to disinfect a
> friend's machine.  She'd been abroad.  Her cat sitter had apparently
> gone places on the web and done things he shouldn't have done from her
> machine, and when she returned it was trashed.  MBAM did its best, but
> the real problem was a rootkit, which was beyond even MBAM's
> abilities, and the final solution was a new machine.  (She'd been
> planning to upgrade anyway - just not yet.)

Did you or your friend happen to try VIPRE Rescue?  It has some anti-rootkit capabilities and also plays well with MBAM.  You can get to them both from the same site:

 
> One last thought:  Moy raised the question of how successful you actually
> were in removing NAV.  Symantec offers the Norton Removal Tool
> (http://www.symantec.com/symnrt) as a utility for cleaning up after their
> consumer products, so that might be something you'd want to look into.

> Thanks for mentioning this.  The fact that it's *needed* does not say
> good things, but it's there and reported to work.

Agreed.

Sean

Moy Wong

Jun 23, 2011, 3:46:29 PM
to vde_e...@googlegroups.com
[lots snipped]

]
]Since Eric is VDE's author, and the list is devoted to his product, I


]think he has the right to post about anything he wants. *I* won't
]complain.
]
]And speaking as List Manager, I don't get upset about off-topic
]rambles. I see these conversations like Little Bo Peep's lost sheep
]-leave then alone and they'll come home... I've been moderating here
]and there since the MS-DOS days, and off-topic conversations generally
]wandered back on target with no action by me beyond waiting a bit.

OK, I'll bite:

VDE does *not* autoexecute anything, nor does it utilize
those blasted Word macros, so now, we're magically back on topic :^)

-moy

Eric Meyer

Jun 23, 2011, 3:59:48 PM
to vde_e...@googlegroups.com
Moy Wong wrote:
> I use ClamWin http://www.clamwin.com/ to scan files manually.

Thanks, I'll look into that. I like the idea of something lightweight to
just do occasional manual scans with, since that's all I ever used NAV for
anyway. In the meantime, I am of course aware that I still benefit from
having virtually everybody *else* run and suffer with AVs, because that's
partly why I don't see incoming threats myself. But mostly these products,
with all their awkward overhead, are designed as last-ditch protection for the
vast majority of people who aren't going to protect themselves, which I always
have.

> I'm wondering how successful you were at "removing" NAV.

Warnings about disaster "uninstalling" NAV (and to be fair, other AVs) with
Windows are all over the web. Symantec actually has their own Removal Tool
for that, which I used and appears to work flawlessly. (There's a delicious
irony there: of course they have no incentive to help you switch to something
else. The only reason this appears to exist is that attempts to install or
update Norton products so frequently fail, requiring a tool to clean up the
mess and try again. It must save them an immense amount of customer support.)
Of course this is why I want to consider carefully before installing another AV.

Dennis wrote:
> But in fact, the only things Symantec has actually *found* in several
> years have all been false positives - it decided that some ancient DOS

> programs I still keep around were virus ridden...

My experience exactly.

> Google has implemented viewers for just about every major file type,
> so it's seldom necessary to actually download one.

Thanks for mentioning that. I'm accustomed to a POP client (Thunderbird),
but will remember that online Gmail could be a safer way of dealing with
attachments.

> Looking back, about the only thing that might have bitten me was the
> infamous Sony CD rootkit.

Hadn't you turned auto-run off, or did it find a way around that?

> I've been moderating here and there since the MS-DOS days, and off-topic
> conversations generally wandered back on target with no action by me
> beyond waiting a bit.

I think the connection here is really that VDE users are likely to remember
the days when software was efficient and behaved itself and your computer was
reliably under your control, and to have a common interest in finding ways to
keep things as much like that as possible in a world that no longer is.

-- Eric Meyer.

Moy Wong

Jun 23, 2011, 4:11:28 PM
to vde_e...@googlegroups.com
Hello Sean,

]You can split hairs if you want, but these days I tend to lump it all under


]the "malware" umbrella. I understand that there are lots of different types

I'm with you. If it's bad, I want to know how it works--then how to
break it--in order to protect myself.

]"Virus/Malware" and "Spyware/Grayware"), which is why I like the idea of

Oh, geeze, "Grayware"??? That's as annoying as our local TV weather
reporters using words like "futurecast" and "daypart."

]I felt somewhat-smugly safe while using Firefox (and I still believe it's


]far superior to MSIE for a number of reasons) until this drive-by. I didn't
]have to click anything to get the infection. I just landed on the page, and
]BOOM! For the record, it was a band's site with a Flash-based streaming
]audio player embedded in the page, and the site also happened to be

Could the threat have arrived via the "embedded player," which I believe
commands your browser to execute *their* media player instead of using
one of your installed ones?

Speaking of "landing" on a web page, that reminded me of one horrific
epiphany I had:

I was working for a company that was converting their email system to
MS-Exchange and Outlook. I found it was all too easy (it may have even
been the default setting) to set Outlook to display something called a
"Preview Pane."

Preview Pane (which I believed was somehow heavily interlocked with IE)
automagically displays the contents of the first new email, in all its
web-enabled glory, "without" opening it. I thought--"Gee, it's sort of
an "autoexec" situation for e-mails!" In other words, your machine is
reaching out and connecting to all kinds of stuff on the web just by
your launching Outlook! One juicy malware-spam in your Inbox would
probably have gotten that machine infected without anyone "doing"
anything.

]> > One last thought: Moy raised the question of how successful you actually


]> > were in removing NAV. Symantec offers the Norton Removal Tool
]> > (http://www.symantec.com/symnrt) as a utility for cleaning up after
]> their
]> > consumer products, so that might be something you'd want to look into.

Thanks, I did not know there was such thing for NAV. Although "removal
tool" is sounding a bit like a euphemism...

-moy

Moy Wong

Jun 23, 2011, 4:20:43 PM
to vde_e...@googlegroups.com
[...]
]
] > I've been moderating here and there since the MS-DOS days, and off-topic

] > conversations generally wandered back on target with no action by me
] > beyond waiting a bit.
]
] I think the connection here is really that VDE users are likely to remember
]the days when software was efficient and behaved itself and your computer was
]reliably under your control, and to have a common interest in finding ways to
]keep things as much like that as possible in a world that no longer is.
]
] -- Eric Meyer.

Ah, excuse me, gentlemen--remember "Stoned," "Michelangelo," and all
those other fun boot-sector viruses? Floppies *always* wanted to
"autorun"--that's called booting from a floppy. Or how about anything
that would put more device drivers in CONFIG.SYS and screw with %PATH%
in AUTOEXEC.BAT, or that trashed COMMAND.COM? And don't get me going on
TSRs.

Oops, I just went off-topic.

-moy

Twin Cities Transplant

Jun 23, 2011, 7:05:24 PM
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 2:59 PM, Eric Meyer <xor...@gmail.com> wrote:
> I think the connection here is really that VDE users are likely to remember the days when software was efficient and behaved itself and your computer was reliably under your control, and to have a common interest in finding ways to keep things as much like that as possible in a world that no longer is.

That's an excellent observation, and I've found that to be true about other "off-topic" threads in this list.

Sean

Gary Welles

Jun 23, 2011, 7:13:20 PM
to VDE Group
I find US-CERT useful for understanding the risks we may be
exposed to and how to deal with them.

Their Reading Room has nontechnical articles:

http://www.us-cert.gov/reading_room/

from which one can wander into the technical weeds.

Australia's CERT <http://www.auscert.org.au> has similar
articles.

Among them a widely referenced 2006 study that found popular
anti-virus software _missed_ 80% of _new_ viruses. No surprise
that a competent virus programmer would first test against
Norton A/V and the like to see that it wouldn't be detected.

Having heard good things about Kaspersky A/V, I once amused
myself by uploading dodgy email attachments to them for
checking. Resubmitting the ones deemed o.k., I found they
would identify them as virus/trojans after about 4-24 hours.

Those attachments are now rare, replaced with links to
fraud/malware web addresses which are more effective in
catching out web mail users. My Opera browser would check
those IP addresses against a blacklist before attempting to
load the pages, but my curiosity isn't that great.

-- Gary
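Gary's point that dangerous attachments have largely given way to links, and that a browser can check a link's address against a blacklist before fetching anything, is simple to reproduce as a mail-triage step. What follows is an added example rather than anything from this thread or from Opera: a Python routine that pulls URLs out of a message body and checks each one's host against a blocklist of domains (with subdomain matching) and IP networks. The blocklist entries and the sample message are constructed using reserved example names and the TEST-NET-3 range, so nothing here refers to a real site.

```python
"""Check links in a mail body against a host blocklist before anything is loaded.

Added example. BLOCKED_DOMAINS and BLOCKED_NETWORKS are constructed placeholders
(reserved example/test names), not a real threat feed.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed blocklist: a domain entry also covers every subdomain beneath it.
BLOCKED_DOMAINS = {"bad-example.test", "phish.invalid"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Plain http/https URL matcher; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in a message body, in order."""
    return URL_RE.findall(text)


def host_of(url: str) -> Optional[str]:
    """Hostname with user-info and port removed, lower-cased, trailing dot stripped."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_blocked(url: str) -> bool:
    """True when the URL's host is a literal IP inside a blocked network or a
    blocked domain (or a subdomain of one). Look-alike hosts such as
    'bad-example.test.attacker.example' are NOT matched, since only parent
    suffixes of the host are compared."""
    host = host_of(url)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip in net for net in BLOCKED_NETWORKS)
    labels = host.split(".")
    # Compare host, then each parent suffix: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def triage(message: str) -> Dict[str, bool]:
    """Map each URL in the message to whether it would be refused."""
    return {url: is_blocked(url) for url in extract_urls(message)}


# Constructed sample message: two malicious links, one legitimate one.
SAMPLE_MESSAGE = """Dear customer, please verify your account at
http://login.bad-example.test/verify?id=1 or download the invoice from
http://203.0.113.7/invoice.pdf . Our real site is https://www.example.com/"""

if __name__ == "__main__":
    for url, blocked in triage(SAMPLE_MESSAGE).items():
        print(("BLOCKED " if blocked else "allowed ") + url)
```

The suffix walk is what makes the domain check safe against both directions of look-alike naming: a subdomain of a blocked domain is refused, while a host that merely begins with a blocked name is not mistaken for it.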


Twin Cities Transplant

Jun 23, 2011, 7:14:24 PM
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 3:11 PM, Moy Wong <m...@panix.com> wrote:
]I felt somewhat-smugly safe while using Firefox (and I still believe it's
]far superior to MSIE for a number of reasons) until this drive-by.  I didn't
]have to click anything to get the infection.  I just landed on the page, and
]BOOM!  For the record, it was a band's site with a Flash-based streaming
]audio player embedded in the page, and the site also happened to be

> Could the threat have arrived via the "embedded player," which I believe
> commands your browser to execute *their* media player instead of using
> one of your installed ones?

I guess that's possible, but the pages also carried ads (which I wasn't blocking at the time).  Based on the behavior of this beast and my after-the-fact searching on the Web, I believe infected advertisements deserve the blame.
 
> Speaking of "landing" on a web page, that reminded me of one horrific
> epiphany I had:
>
> I was working for a company that was converting their email system to
> MS-Exchange and Outlook.  I found it was all too easy (it may have even
> been the default setting) to set Outlook to display something called a
> "Preview Pane."

Ugh.  Yeah, that was an exploitable feature in Outlook Express, too, IIRC.  That always scared me.

]> > One last thought:  Moy raised the question of how successful you actually
]> > were in removing NAV.  Symantec offers the Norton Removal Tool
]> > (http://www.symantec.com/symnrt) as a utility for cleaning up after
]> their
]> > consumer products, so that might be something you'd want to look into.

> Thanks, I did not know there was such thing for NAV.  Although "removal
> tool" is sounding a bit like a euphemism...

Yeah, Microsoft actually has its own Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx).  If you run a Windows OS and have it set for automatic updates, you already have this on your box (it updates monthly, occasionally more frequently).  You can look at the command-line options (and then run it) by opening a command prompt or by doing the Start-Run or [Windows Key]-R thing and then typing "mrt /?" (without quotes).  It's pretty basic and scans for a specific, limited number of infections, but in my use over the past few years it has actually caught a couple of things.

Sean

Twin Cities Transplant

Jun 23, 2011, 7:19:19 PM
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 6:13 PM, Gary Welles <ga...@wellesway.com> wrote:
> Having heard good things about Kaspersky A/V, I once amused myself by uploading dodgy email attachments to them for checking. Resubmitting the ones deemed o.k., I found they would identify them as virus/trojans after about 4-24 hours.

Kevin Mitnick likes that one, too.  I heard him in a radio interview a couple of years ago, and he named Kaspersky when asked for an anti-virus software recommendation.

Sean

Eric Meyer

Jun 23, 2011, 8:01:29 PM6/23/11
to vde_e...@googlegroups.com
Moy Wong wrote:
> Ah, excuse me, gentlemen--remember "Stoned," "Michelangelo," and all
> those other fun boot-sector viruses? Floppies *always* wanted to
> "autorun"--that's called booting from a floppy.

Hmmm... I really don't recall that as common. Generally the disk label would
ask you to "run SETUP.COM" or whatever. I actually did once(!) encounter a
floppy with a BSV, but never considered those a serious threat because
sensible people didn't boot off random disks. (This one was from a software
library for the HP LX palmtop... but no reason you'd ever boot off it.) And a
larger proportion of users knew this back then, too. Today autorun is the
default, and who even knows you can turn it off?

Re: language, I just had to look up "scareware", which sort of makes sense
(though uncomfortably similar to shareware). But I've never heard "daypart"
around here, and hope it never catches on... ugh. Doubleplus ungood.

-- Eric Meyer.


dmccunney

Jun 23, 2011, 11:07:26 PM6/23/11
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 3:59 PM, Eric Meyer <xor...@gmail.com> wrote:
>
> Dennis wrote:
>> But in fact, the only things Symantec has actually *found* in several
>> years have all been false positives - it decided that some ancient DOS
>> programs I still keep around were virus ridden...
>
>        My experience exactly.

It used to have more luck when I was grabbing stuff from Usenet binary
groups, since that stuff wasn't A/V scanned at the other end. My ISP
dropped newsserver access entirely, so they went away. I found a free
newsserver or two that only carried the text groups, but that was fine
by me. Most newsgroups are spam traps. The few I want to read are
plain text groups, and I use Thunderbird as my newsreader.

>> Google has implemented viewers for just about every major file type,
>> so it's seldom necessary to actually download one.
>
>        Thanks for mentioning that.  I'm accustomed to a POP client
> (Thunderbird), but will remember that online Gmail could be a safer way of
> dealing with attachments.

I have a cable modem with 10mbit/second incoming. I also get a *lot*
of email. (I'm on some high volume lists.) I'm perfectly happy to
let it reside on Google's servers. For one thing, my GMail mailstore
is 7.5GB and counting, of which I've used a bit over half. I used to
use Outlook, and found out the hard way that Outlook through Office
2000 behaved *very* strangely if the mailbox.pst file went over 2GB in
size. (New mail didn't get delivered. Old mail spawned massive
amounts of duplicates.)

With GMail, I don't worry about mail bouncing because my Inbox on my
ISP's mailserver fills up before I get a chance to download it (which
happened occasionally in the past.) And GMail has the best spam
filters I've seen. It's Bayesian filtering, classifying against a
database of spam characteristics, but the database is generated from
the Report Spam clicks of *all* GMail users. I see new spam in my
Inbox perhaps once a week, and once reported, I don't see it again.
(I know folks who prefer to download via POP, but forward everything
through GMail to filter it first.)

I actually prefer the web interface, and my connection is fast enough
to make it very usable. GMail labels and filters work like Inbox rules
and folders, but with more flexibility - you can apply more than one
label to a message, and have it appear in more than one folder.
Effectively, my GMail mailstore is a database, searchable using
standard Google search mechanisms, and labels are arbitrary index
keys.

The addition of viewers for most file types means there is no need to
download the attachment to look at it. This is especially handy when
traveling, as the machine I'll use to view the attachment isn't the
one I'll want to store it on if I *do* download it.

>> Looking back, about the only thing that might have bitten me was the
>> infamous Sony CD rootkit.
>
>        Hadn't you turned auto-run off, or did it find a way around that?

Neither. I seldom buy music CDs, and none are from Sony labels.
Autoplay off wouldn't have helped: the rootkit got installed by
playing the music, which is what you *do* with a music CD.

It might have bitten simply because CDs from a major company aren't
things you normally think of as dangerous.

The chap who first discovered the rootkit and publicized it to the web
was Mark Russinovich, who did business back then with his partner
Bryce Cogswell as Sysinternals. Mark is a noted writer and lecturer
on Windows programming, and I've often thought he knows more about
Windows internals than Microsoft. Microsoft thinks they know
something: they bought his company, and he and Bryce work in the Core
Architecture Group these days. I use Mark's Process Explorer as a
Task Manager replacement, and he has a lot of other stuff released as
freeware that is worth adding to the toolkit. If *he* could get
bit...

(I did once get a virus at the office from a CD from a major software
vendor. I assumed they outsourced the production, and failed to
maintain proper quality control.)

>> I've been moderating here and there since the MS-DOS days, and off-topic
>> conversations generally wandered back on target with no action by me
>> beyond waiting a bit.
>
>        I think the connection here is really that VDE users are likely to
> remember the days when software was efficient and behaved itself and your
> computer was reliably under your control, and to have a common interest in
> finding ways to keep things as much like that as possible in a world that no
> longer is.

In part. Speaking personally, I don't at all mind the occasional off
topic thread. They've been uniformly interesting and informative.
Frankly, if that were the *only* sort of traffic here, I *still*
wouldn't mind. It's all been the sort of stuff I like to read.

Back in the BBS days, one of the folks in an area I moderated was a
programmer doing contract work for a company that made utilities for
SGI workstations running SGI's Irix flavor of Unix. They did a
customer satisfaction survey, and were taken aback by the results,
which were universally positive. The general customer response was
"The stuff installs with no problem, behaves as it's documented to
behave, and runs like a top. If we ever have a problem, tech support
is very good and on top of it, but we never have to call them because
it Just Works."

It made them stop and say "Okay. What are we doing *right*, and how
do we make sure we keep doing it?"

VDE reminds me a bit of that. Mature, well developed, properly
documented, and largely bug free. There's not that much on topic
discussion to have.

dmccunney

Jun 23, 2011, 11:36:43 PM6/23/11
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 3:42 PM, Twin Cities Transplant
<twincities...@gmail.com> wrote:
>> A/V and malware are two different types of threats, and A/V software
>> will not block malware and vice versa.
>
> You can split hairs if you want, but these days I tend to lump it all under
> the "malware" umbrella.  I understand that there are lots of different types
> of attacks and vectors and lots of different labels based on how stuff is
> transmitted and what it does (viruses, rootkits, trojans, worms,
> fake-anti-virus, etc.).  I just lump it all under the "bad stuff" label.  I
> don't expect a single product to catch everything (although the corporate
> stuff we use in my office has separate labels in the logs for
> "Virus/Malware" and "Spyware/Grayware"), which is why I like the idea of
> layered security.

I'm not splitting hairs. You can lump it all under one nebulous
threat umbrella if you like. My point is that they are different
classes of threats using different vectors, and no one product
protects against all.

I like layered security too, but prefer "best of breed" to the "all in
one" products that try to offer firewall, A/V, and anti-malware in one
package.

But my point was and remains simple. What bit you *wasn't* a virus, and
anti-virus software would not (and *did* not) protect you.

I reiterate that Eric might be safe enough dropping A/V entirely, as
long as other threats have defenses in place.

>> Symantec did not identify and block it.  It's not intended to.
>
> I don't know if that's true.  From my perspective, the security companies
> seem to be packaging broader detection/cleanup capabilities into their
> products these days.  Again, though, I wouldn't expect a single product to
> catch everything, and that's a big reason why I tend to use a handful of
> different scanners whenever I do a clean-up on someone else's PC.

If what you have is an anti-*virus* product, you should not expect it
to also catch malware. As mentioned, I have Symantec Corporate 9
here. It is not an anti-malware product, and I do not *expect* it to
be. I do not assume it will defend against the sort of thing that bit
you, and will not be disappointed that it doesn't. That's not its
job.

>> I'd like to know a bit more about where you were and what you were
>> doing.  I'd especially like to know what browser you were using.  (I
>> strongly suspect IE.)
>
> It was the current production version of Firefox at the time, but I was not
> running NoScript.  (I'll have to look into that one.)  My current browser

See http://noscript.net/

As mentioned, it uses a user maintained whitelist to decide whether to
permit scripting. Compiling that list is a bit time consuming, as you
must do it for each "safe" site you visit. And some sites reference
material on other sites, and you may have to whitelist the sites they
link to to get things to work as expected.

But once trained, it's unobtrusive, and would probably have blocked
the exploit that bit you.

The same author has another extension that specifically blocks Flash,
so it plays only if you let it.

> choices are Firefox, then Chrome, then take your pick.  (On some Linux
> systems, I like GNU IceCat because of how its scripting abilities are
> strictly limited by default.)

I have FF, Chrome, Opera, Safari, and a few other things installed
here. FF is first choice, and the others are largely to keep up on
the browser market.

On my old notebook under Linux, I don't even try to run FF. It has an
867MHz CPU, 256MB RAM, and a slow (UDMA4) HD. Current FF builds take
45 seconds just to load and initialize with a minimal configuration,
and are sluggish once up. On that box, a recent version of Midori
(based on Webkit, as is Safari) is a much better fit.

> I avoid IE like the plague and have for years
> with two exceptions:

> I used to work in a clinic where the electronic health record interface was
> all Web-based and required ActiveX controls to run.

I had that issue at a former employer, whose electronic timesheet
application used Active-X. I used Firefox for everything *else*. (I
was on the IT staff, had domain admin rights, and could install what I
liked. I did so...)

> Our users are standardized to MSIE, so I frequently test with MSIE.

I keep IE 8 around for compatibility tests. I'm seeing a lot less
that works in IE but not elsewhere.

>> Most malware bounces off if IE is not the browser in use.
>
> I felt somewhat-smugly safe while using Firefox (and I still believe it's
> far superior to MSIE for a number of reasons) until this drive-by.  I didn't
> have to click anything to get the infection.  I just landed on the page, and
> BOOM!  For the record, it was a band's site with a Flash-based streaming
> audio player embedded in the page, and the site also happened to be
> displaying advertisements, which I believe (from researching my infection
> after the fact) were the source of the infection.

Rogue ads are problems. A Linux oriented web board I'm on had a
problem like that. It was made more difficult by the fact that their
ads were provided by an aggregator who packaged ads for sites, and
identifying just which ad it was was problematic. They dropped the
aggregator, and ads these days are from a Linux utility vendor. The
site owner just wants to cover the direct costs, and those do it.

>> The only fail I've had with MalwareBytes was trying to disinfect a
>> friend's machine.  She'd been abroad.  Her cat sitter had apparently
>> gone places on the web and done things he shouldn't have done from her
>> machine, and when she returned it was trashed.  MBAM did its best, but
>> the real problem was a rootkit, which was beyond even MBAM's
>> abilities, and the final solution was a new machine.  (She'd been
>> planning to upgrade anyway - just not yet.)
>
> Did you or your friend happen to try VIPRE Rescue?  It has some anti-rootkit
> capabilities and also plays well with MBAM.  You can get to them both from
> the same site:   http://vipre.malwarebytes.org/

No, she decided to get a new machine before I got to that point. The
old machine is still there, and I'm welcome to the carcass if I want
it to wipe and install Linux. Maybe later. I have too many machines
awaiting my attention.
______
Dennis

Gary Welles

Jun 24, 2011, 8:29:38 AM6/24/11
to VDE Group
Dennis writes:
> Google has implemented viewers for just about every major
> file type, so it's seldom necessary to actually download
> one.

and Eric suggests:


> Thanks for mentioning that. I'm accustomed to a POP
> client (Thunderbird), but will remember that online Gmail
> could be a safer way of dealing with attachments.

Contrary to popular belief, merely downloading email with
attachments will not infect your computer. One would need to
open the attachment. Just opening the message wouldn't be
enough to infect unless the POP client were to automatically
open attachments.

As Google has yet to implement a trojan/virus viewer, one
would still have to download that attachment one were so anxious
to open.

On the other hand, reading email with web based clients such as
GMail makes it extremely easy to follow the now prevalent
booby trapped web links. A high speed connection, one Oops!
and you're toast.

-- Gary


dmccunney

Jun 24, 2011, 9:23:53 AM6/24/11
to vde_e...@googlegroups.com
On Fri, Jun 24, 2011 at 8:29 AM, Gary Welles <ga...@wellesway.com> wrote:
> Dennis writes:
>>
>> Google has implemented viewers for just about every major file type, so
>> it's seldom necessary to actually download one.
>
> and Eric suggests:
>>
>>        Thanks for mentioning that.  I'm accustomed to a POP client
>> (Thunderbird), but will remember that online Gmail could be a safer way of
>> dealing with attachments.
>
> Contrary to popular belief, merely downloading email with attachments will
> not infect your computer. One would need to open the attachment. Just
> opening the message wouldn't be enough to infect unless the POP client were
> to automatically open attachments.

Agreed. Part of the problem was the default behavior of Outlook,
which was to display a Preview Pane with a snippet of the message for
messages in the Inbox. It had to open them to do that. It also
supported HTML email, and people were crafting stuff in HTML.

At a former employer, we had to turn off the Preview Pane "feature".

> As Google has yet to implement a trojan/virus viewer, one would still have
> to download that attachment one were so anxious to open.

You could open the message. You just couldn't see/execute the trojan.

But this is another area GMail does well. Attachments are all scanned
on their end. And in a move that actually annoys me but can be
considered more secure, they reject attachments with executables.
It's possible to get around that, but it takes extra work on my end
and the recipient's end, and they don't document what they consider
executable. I had a zip archive containing HTML and gifs (which would
reproduce a website) rejected, apparently because you could click on
the attachment, open it, and execute the HTML in it. I have a Yahoo
account I keep around precisely for the occasions on which I do need
to send an executable (in a zip archive) in an attachment, because
Yahoo permits that.

I don't see executable attachments because GMail doesn't allow them.
And I don't see the booby trapped web links, because GMail identifies
such things as spam and it doesn't show in my Inbox.

> On the other hand, reading email with web based clients such as GMail makes
> it extremely easy to follow the now prevalent booby trapped web links. A
> high speed connection, one Oops! and you're toast.

The problem there is "high speed connection". I had the same
vulnerability when I had broadband and ran Outlook. HTML links in
email opened in my browser. It was one click, and just as easy as
doing everything web based. It just took a few moments longer if the
browser wasn't already open.

> -- Gary
______
Dennis

Mark P. Fishman

Jun 24, 2011, 10:13:01 AM6/24/11
to vde_e...@googlegroups.com

On Thu, Jun 23, 2011 at 11:07 PM, dmccunney <dennis....@gmail.com> wrote:
On Thu, Jun 23, 2011 at 3:59 PM, Eric Meyer <xor...@gmail.com> wrote:
>
> Dennis wrote:

 
>> Looking back, about the only thing that might have bitten me was the
>> infamous Sony CD rootkit.
>
>        Hadn't you turned auto-run off, or did it find a way around that?

Neither.  I seldom buy music CDs, and none are from Sony labels.
Autoplay off wouldn't have helped: the rootkit got installed by
playing the music, which is what you *do* with a music CD.

Ummm, NO. Music (on a computer) is data and the programs that take it as an appropriate form of data DO NOT EXECUTE IT. If a "music" track contains executable code then playing it on an audio player would produce audible noise.

The Sony rootkit was in a data session that would not be seen on an audio player because audio players see/use only the first session of a multisession disc. A computer prefers to read the last session, and has to be forced (by trickery) to do anything else.

In Sony's case, the rootkit was installed in the usual fashion of a Trojan program that used the autorun "feature" of MS-Windows and offered to do something moderately enticing (like let the computer play the music tracks). By that point the rootkit was already installed.

Turning off autorun and autoplay definitely helped, as long as the user didn't then deliberately run the software in the data session. (You can't fix stupid.)

Oh, and autorun is not the same as autoplay, at least in Microsoft-speak. Autorun executes code; autoplay scans the disc to decide whether it contains something (e.g., music, video, photos) that Windows knows how to handle, and can offer to start a program for you (like a DVD player, or a photo viewer). I turn them both off, for ALL drives (CD, HD, floppy, USB-stick).

-- Mark F.


--
"Prejudice, not being founded on reason, cannot be removed by argument."
  -- (mis)attributed to Samuel Johnson


Moy Wong

Jun 24, 2011, 10:21:52 AM6/24/11
to vde_e...@googlegroups.com
Hi Gary,

I tend to disagree, but that depends on your definition of "download."

Seeing how everything has become webbified, know that many people now
use some sort of web browser (or an e-mail client that itself can reach
out to the Internet) to get their e-mail. One need not knowingly
"execute" anything other than launching their mail client to get a rogue
program (scary). Your friendly application might just do that
automagically.

-moy



Moy Wong

Jun 24, 2011, 10:28:56 AM6/24/11
to vde_e...@googlegroups.com
Gentlemen,

Lots of email now is in HTML, which can easily embed links to unclean
URLs. These might get "displayed" like inline graphics--but your e-mail
client is actually grabbing the graphic (and/or malware) from the
Internet via the embedded address. Sometimes, the URL is obscured by
being encoded in hex or octal. So no, you're not even dealing with MIME
attachments in order to "open" something unwanted.

The benign manifestations of this kind of e-mail are the ones
where the sender embeds animated smileys or cutesy backgrounds via a
service run by some smiley website.

-m


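To make Moy's point concrete, here is an added example (not code from the thread) that pulls the remote references out of an HTML mail and shows where each one really connects, including hosts written as hex, octal or a single decimal number and percent-encoded paths. The mail and every hostname in it are constructed for the demonstration.

```python
"""Where do the remote references in an HTML mail really point?
Added example (not code from the thread), standard library only. SAMPLE_HTML
is constructed for the demonstration and every hostname in it is made up."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed mail: a "smiley" image from a third-party service, a tracking
# pixel whose host is a hex IP, a link with an octal host and percent-encoded
# path, a link whose visible text disagrees with its href, and a harmless link.
SAMPLE_HTML = """
<html><body>
<p>Hi! <img src="https://smileys.example/img/grin.gif" alt=":)"></p>
<img src="http://0x7f000001/t.gif?id=4711" width="1" height="1">
<p>Your statement: <a href="http://0177.0.0.1/%6c%6f%67%69%6e">View</a></p>
<p>Bank: <a href="http://bank-login.example.net/">https://bank.example.com/</a></p>
<p>Notes: <a href="https://wiki.example.com/notes">meeting notes</a></p>
</body></html>
"""

def _int_part(part):
    """Decode one dotted part as inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)

def normalize_host(host):
    """Return (host the client will connect to, was_obfuscated). Numeric hosts such as
    0x7f000001, 0177.0.0.1 or 2130706433 become dotted decimal; names are lower-cased."""
    host = unquote(host).lower()
    try:
        values = [_int_part(p) for p in host.split(".")]
    except ValueError:
        return host, False                       # an ordinary hostname
    if len(values) > 4 or min(values) < 0 or max(values[:-1], default=0) > 255:
        return host, False
    total = 0
    for v in values[:-1]:                        # leading parts are one byte each
        total = (total << 8) | v
    total = (total << (8 * (5 - len(values)))) | values[-1]   # last part fills the rest
    if total > 0xFFFFFFFF:
        return host, False
    quad = ".".join(str((total >> s) & 0xFF) for s in (24, 16, 8, 0))
    return quad, quad != host

class _RefCollector(HTMLParser):
    """Collect <img src> values and <a href> values with their visible text."""

    def __init__(self):
        super().__init__()
        self.images, self.anchors = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_html_mail(html):
    """Return (kind, url, host_connected_to, reasons) for every reference worth a look."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.images:                         # every remote image is a beacon
        host, obf = normalize_host(urlsplit(src).hostname or "")
        why = ["remote image: fetching it reveals when and from where the mail was read"]
        if obf:
            why.append("host written as a hex/octal/decimal number")
        findings.append(("img", src, host, "; ".join(why)))
    for href, text in p.anchors:
        host, obf = normalize_host(urlsplit(href).hostname or "")
        why = []
        if obf:
            why.append("host written as a hex/octal/decimal number")
        if "%" in href:
            why.append("percent-encoded URL decodes to " + unquote(href))
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != host:              # visible text names one host, href another
            why.append(f"visible text names {shown} but the link goes to {host}")
        if why:
            findings.append(("a", href, host, "; ".join(why)))
    return findings

if __name__ == "__main__":
    for kind, url, host, why in analyze_html_mail(SAMPLE_HTML):
        print(f"<{kind}> {url}\n    connects to: {host}\n    {why}")
```

The harmless wiki link produces no finding; the other four references do, which is the same check Gary describes doing by hand with a text viewer.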

Mark P. Fishman

Jun 24, 2011, 12:39:58 PM6/24/11
to vde_e...@googlegroups.com
There are ways to minimize some of these risks. For example, MS-Outlook can be set to read all mail in plain text. HTML mail displays a small banner informing the user that the original HTML version is not displayed; only the text in the mail is displayed. Then you can decide whether to risk looking at the HTML. Thunderbird can be set not to display remote graphics without user permission. Or you can just run Pine, which doesn't do much for or to you.

The problem is that some of your mail, like some web sites, might turn out to be completely devoid of content under such settings. (Often they are devoid of content anyway, but that's a different problem.)

Ultimately, you could run a bridged VM just to read e-mail and browse the web, and revert to a known-good disk image when shutting down; or you can do the same thing from a live-CD version of Linux, and have no writeable media in the computer at all.

-- Mark F.

Gary Welles

Jun 24, 2011, 3:14:38 PM6/24/11
to VDE Group
Moy puzzles:

> I tend to disagree, but that depends on your definition of
> "download."

I admit I was troubled using "download" when I'm thinking of
the POP3.exe I normally use. The mail retrieved is harmless
text one could open with VDE. However, how your software might
interpret it is where the security device between the chair
and the console comes in.

As Mark explains:

> There are ways to minimize some of these risks. . . .

I frequently resort to rummaging through entire messages
with a text viewer to see where HTML links point.

-- Gary


Moy Wong

Jun 24, 2011, 6:21:21 PM6/24/11
to vde_e...@googlegroups.com
Hi,

]Moy puzzles:
]
]> I tend to disagree, but that depends on your definition of
]> "download."
]
]I admit I was troubled using "download" when I'm thinking of
]the POP3.exe I normally use. The mail retrieved is harmless
]text one could open with VDE. However your software might
]interpret it is where the security device between the chair
]and the console comes in.

Oh, I totally agree with that definition--one could not see the email
*unless* it got downloaded at some point.

However, I like the notion of "harmless" text. I think email, at its
heart, *is* text (RFC822). It is always what the receiving program
*does* with its input that gives malware its power. I tend to use unix
'mail' for my e-mail. No chance of virus or malware transmission there,
'mail' doesn't even know what to do with an attachment--I get to see the
attachment as a string of ASCII--and 'mail' isn't even running on my
equipment.

For a lot of these virus-type behaviors, think "auto." And whether you
*need* to have that specific function work automatically. Boot-sector
viruses depended on the majority of PCs following the standard: "I must
execute code from sector 0 of any mounted floppy on startup." Word macro
viruses enjoyed Word's imperative "I must execute any auto-run macro
when I open a document." Ditto for "autorun" for CDs, or even USB
drives. E-mails that have to be read as HTML, same thing.

We have started to forget how things actually work.

-moy



Twin Cities Transplant

Jun 25, 2011, 12:03:47 AM6/25/11
to vde_e...@googlegroups.com
On Thu, Jun 23, 2011 at 10:36 PM, dmccunney <dennis....@gmail.com> wrote:
I like layered security too, but prefer "best of breed" to the "all in
one" products that try to offer firewall, A/V, and anti-malware in one
package.

I've heard from other authorities who recommend against throwing security products (firewall, anti-virus, anti-malware) from different vendors onto the same box, because they often do not play well with one another.  Kinda makes me think of the adage that "opinions are like...."  (I won't finish the phrase here, but everybody has one.)

On that box, a recent version of Midori (based on Webkit, as is Safari)

...as is Chrome....

> I avoid IE like the plague and have for years
> with two exceptions:

> I used to work in a clinic where the electronic health record interface was
> all Web-based and required ActiveX controls to run.

I had that issue at a former employer, whose electronic timesheet
application used Active-X.  I used Firefox for everything *else*.  (I
was on the IT staff, had domain admin rights, and could install what I
liked.  I did so...)

This is one reason I preferred to use my own notebook in the clinic.  (The other is that I type with a Dvorak layout and got tired of switching it when I would check out a laptop at the start of a clinic shift and then resetting before turning the machine back in when I was finished.)  I used MSIE for the EMR only.  When I needed to do other Web stuff (including educating patients and directing them to reputable sites for health information), Firefox was my friend.  It still is.

> Did you or your friend happen to try VIPRE Rescue?  It has some anti-rootkit
> capabilities and also plays well with MBAM.  You can get to them both from
> the same site:   http://vipre.malwarebytes.org/

No, she decided to get a new machine before I got to that point.  The
old machine is still there, and I'm welcome to the carcass if I want
it to wipe and install Linux.  Maybe later.  I have too many machines
awaiting my attention.

I understand how that is, and VIPRE Rescue certainly isn't your only anti-rootkit solution.  I just pulled that one because the MBAM folk have partnered with that vendor as a complementary tool.

Sean

Twin Cities Transplant

Jun 25, 2011, 12:07:28 AM6/25/11
to vde_e...@googlegroups.com
On Fri, Jun 24, 2011 at 9:13 AM, Mark P. Fishman <mfis...@alum.mit.edu> wrote:

On Thu, Jun 23, 2011 at 11:07 PM, dmccunney <dennis....@gmail.com> wrote:
On Thu, Jun 23, 2011 at 3:59 PM, Eric Meyer <xor...@gmail.com> wrote:
>
> Dennis wrote:

 
>> Looking back, about the only thing that might have bitten me was the
>> infamous Sony CD rootkit.
>
>        Hadn't you turned auto-run off, or did it find a way around that?

Neither.  I seldom buy music CDs, and none are from Sony labels.
Autoplay off wouldn't have helped: the rootkit got installed by
playing the music, which is what you *do* with a music CD.

Ummm, NO. Music (on a computer) is data and the programs that take it as an appropriate form of data DO NOT EXECUTE IT. If a "music" track contains executable code then playing it on an audio player would produce audible noise.

The Sony rootkit was in a data session that would not be seen on an audio player because audio players see/use only the first session of a multisession disc. A computer prefers to read the last session, and has to be forced (by trickery) to do anything else.

In Sony's case, the rootkit was installed in the usual fashion of a Trojan program that used the autorun "feature" of MS-Windows and offered to do something moderately enticing (like let the computer play the music tracks). By that point the rootkit was already installed.

Turning off autorun and autoplay definitely helped, as long as the user didn't then deliberately run the software in the data session. (You can't fix stupid.)

Yeah.  What he said.  I know for a fact that at least one of the CDs I own has the Sony rootkit on it, but it never bit me--even when I played the CD in a PC--because I didn't let that drive AutoPlay or Autorun anything and because with that CD I was just listening to music (from the first session) and not allowing it to execute code.

Sean

Twin Cities Transplant

Jun 25, 2011, 12:08:37 AM6/25/11
to vde_e...@googlegroups.com
On Fri, Jun 24, 2011 at 11:39 AM, Mark P. Fishman <mfis...@alum.mit.edu> wrote:
The problem is that some of your mail, like some web sites, might turn out to be completely devoid of content under such settings. (Often they are devoid of content anyway, but that's a different problem.)

FWIW, I think Mark's e-mail was full of good content, and his parenthetical commentary made me laugh.

Thank you, Mark.  I needed that.

Sean

Gary Welles

Jun 25, 2011, 8:39:26 AM6/25/11
to VDE Group
Moy reveals:

> I tend to use unix 'mail' for my e-mail.

and has one upped me again as I tend to the overly enhanced
'vmail'. There's hope for me, as it appears I once made a go
at configuring out 'mail':

C:\>mail
Mail: EDITOR=vde.exe -- command not found.
Mail: SHELL=4DOS.com -- command not found.
Mail: crt=25 -- command not found.
FTP Software mail 3.0 06/30/94 02:39
No mail.

and it seems simple enough, no?:

C:\>mail /?
Usage (to read): mail [-v] [-d] [-i] [-n] [-m] [-f/-u {file-name/user-name}]
(to send): mail [-v] [-d] [-i] [-n] [-s {subject}] user-name [user-name]

Probably easier than figuring out how to get the typical email
client to do what you want and stop "auto" doing what you
don't.

Wonder if there's a "GMail /?"?

-- Gary


dmccunney

Jun 25, 2011, 4:17:36 PM6/25/11
to vde_e...@googlegroups.com
On Fri, Jun 24, 2011 at 12:39 PM, Mark P. Fishman <mfis...@alum.mit.edu> wrote:
> There are ways to minimize some of these risks. For example, MS-Outlook can
> be set to read all mail in plain text. HTML mail displays a small banner
> informing the user that the original HTML version is not displayed; only the
> text in the mail is displayed. Then you can decide whether to risk looking
> at the HTML. Thunderbird can be set not to display remote graphics without
> user permission. Or you can just run Pine, which doesn't do much for or to
> you.

This can be problematic in a corporate setting, where Outlook rules.
One thing I did was force Outlook to *create* any mail I sent as plain
text (and would often *reply* in plain text to HTML mail as a hint to
the sender). I found out the hard way that my good intentions did not
extend off our internal network, when mail I sent outside was seen and
rejected because it wasn't plain text. Exchange Server was sending it
as HTML, and the Exchange admin had to search for the setting that
controlled that after I complained.

> The problem is that some of your mail, like some web sites, might turn out
> to be completely devoid of content under such settings. (Often they are
> devoid of content anyway, but that's a different problem.)

By default, I send and receive email in plain text. But I can't
realistically force all who send mail to send as plain text, and I
don't especially want to. A lot of it has reason to be in HTML with
embedded graphics. It's far easier to simply block the garbage from
getting into my Inbox at all.

> Ultimately, you could run a bridged VM just to read e-mail and browse the
> web, and revert to a known-good disk image when shutting down; or you can do
> the same thing from a live-CD version of Linux, and have no writeable media
> in the computer at all.

I could, but don't. That's not only more trouble than I feel like
going through - it's a lot more trouble than I *need* to go through.
I have layered defenses and a standard approach to email and web
browsing, and I have not been bitten by a virus or spyware/malware in
literally decades. None of my A/V or anti-spyware/malware tools ever
find anything, either. The worst they ever find are "tracking"
cookies, and I consider those at worst a nuisance.

(If you run Firefox or Google Chrome, look at Ghostery, an extension
designed to track and optionally block such things. See
http://www.ghostery.com/)

> -- Mark F.
_____
Dennis

dmccunney

Jun 25, 2011, 4:28:12 PM6/25/11
to vde_e...@googlegroups.com
On Fri, Jun 24, 2011 at 10:28 AM, Moy Wong <m...@panix.com> wrote:
> Gentlemen,
>
> Lots of email now is in HTML, which can easily embed links to unclean
> URLs.  These might get "displayed" like inline graphics--but your e-mail
> client is actually grabbing the graphic (and/or malware) from the
> Internet via the embedded address.  Sometimes, the URL is obscured by
> being encoded in hex or octal.  So no, you're not even dealing with MIME
> attachments in order to "open" something unwanted.
>
> The benign manifestations of this kind of e-mail are the ones
> where the sender embeds animated smileys or cutesy backgrounds via a
> service run by some smiley website.

<shrug> So? The biggest problems on that line are phishing emails,
where the address displayed in the HTML email is not the one you will
actually be sent to.

I get boatloads of those, but never see them unless I choose to -
GMail's filters detect them as phishes, and they go to the Spam label,
where they are deleted automatically in 30 days if I don't do so
first. I look at them occasionally just to see what the pitch is.
Some of them are unintentionally hilarious.

When I was still using Outlook, I ran an open source spam filtering
package called SpamBayes. It installed as an Outlook plugin, and used
Bayesian filtering to classify mail. You trained it by providing
samples of good mail and of spam, and it built a database of spam
characteristics it used to classify incoming mail. I never saw it
make a mistake on stuff it was sure was spam, and saw only a handful
of false positives on stuff it wasn't sure of. SpamBayes can be
installed as a proxy server, sitting between your ISP's mail feed and
your email client if you don't run Outlook. And while Thunderbird has
its own Bayesian spam filtering, there's an extension that will let
you configure it to use SpamBayes instead.

See http://spambayes.sourceforge.net

>        -m
______
Dennis
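The train-then-classify scheme Dennis describes for SpamBayes, as an added example (editor's illustration, not SpamBayes code): per-token spam probabilities are learned from constructed samples of good mail and spam, the most decisive tokens of a new message are combined, and a middle "unsure" band separates "sure it's spam" from "not sure", which is where the handful of false positives he mentions would land. SpamBayes itself uses a more elaborate chi-squared combining rule; the training sentences, cutoffs and token regex below are assumptions.

```python
"""Bayesian spam classification in the style SpamBayes popularised.
Added illustration, not SpamBayes code: train on samples of good mail
and spam, score new mail by combining per-token spam probabilities, and
keep a middle "unsure" band instead of forcing a yes/no verdict."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")   # assumed tokenizer, deliberately crude


def tokenize(text):
    """Lower-case word tokens; a set, so a repeated word counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self, spam_cutoff=0.9, ham_cutoff=0.2, max_tokens=15):
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of good messages containing it
        self.nspam = 0
        self.nham = 0
        self.spam_cutoff = spam_cutoff  # assumed cutoffs; SpamBayes lets the user tune these
        self.ham_cutoff = ham_cutoff
        self.max_tokens = max_tokens

    def train(self, text, is_spam):
        counts = self.spam_counts if is_spam else self.ham_counts
        for tok in tokenize(text):
            counts[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def spamprob(self, token):
        """P(spam | token), smoothed toward 0.5 so a token seen once is not decisive."""
        s = self.spam_counts[token] / max(self.nspam, 1)
        h = self.ham_counts[token] / max(self.nham, 1)
        n = self.spam_counts[token] + self.ham_counts[token]
        if n == 0:
            return 0.5                          # never seen: no evidence either way
        p = s / (s + h)
        strength, prior = 1.0, 0.5              # one "virtual" observation at 0.5
        return (strength * prior + n * p) / (strength + n)

    def score(self, text):
        """Combine the tokens furthest from 0.5 in log space (avoids underflow)."""
        probs = sorted((self.spamprob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:self.max_tokens]
        if not probs:
            return 0.5
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text):
        p = self.score(text)
        if p >= self.spam_cutoff:
            return "spam"
        if p <= self.ham_cutoff:
            return "ham"
        return "unsure"                         # the band a user reviews by hand


# Constructed training samples (not real mail).
HAM = [
    "Meeting moved to Thursday, bring the quarterly report.",
    "Can you review the patch I sent for the editor build?",
    "Lunch tomorrow at the usual place at noon.",
    "Notes from the list about keyboard macros in the editor.",
]
SPAM = [
    "Congratulations, you have won a free prize! Claim now.",
    "Cheap pills, no prescription, click here to order.",
    "Act now: limited offer, free money, guaranteed winner!",
    "Your account has been suspended, click here to verify your password.",
]


def build_filter():
    """A filter trained on the constructed corpus above."""
    f = BayesFilter()
    for m in HAM:
        f.train(m, is_spam=False)
    for m in SPAM:
        f.train(m, is_spam=True)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("Claim your free prize now, winner! Guaranteed. Click here.",
                "Can you bring the quarterly report to the meeting tomorrow?",
                "A free editor for the winner."):
        print(f"{f.score(msg):.3f} {f.classify(msg):7s} {msg}")
```

The third sample message mixes spam-only words with list-only words and scores 0.25, so it lands in the "unsure" band rather than being forced into either bucket; with a real corpus the two cutoffs are what you tune to trade false positives against mail you have to look at yourself.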

dmccunney

Jun 25, 2011, 5:16:48 PM6/25/11
to vde_e...@googlegroups.com
On Sat, Jun 25, 2011 at 12:03 AM, Twin Cities Transplant
<twincities...@gmail.com> wrote:
> On Thu, Jun 23, 2011 at 10:36 PM, dmccunney <dennis....@gmail.com>
> wrote:
>>
>> I like layered security too, but prefer "best of breed" to the "all in
>> one" products that try to offer firewall, A/V, and anti-malware in one
>> package.
>
> I've heard from other authorities who recommend against throwing security
> products (firewall, anti-virus, anti-malware) from different vendors onto
> the same box, because they often do not play well with one another.  Kinda
> makes me think of the adage that "opinions are like...."  (I won't finish
> the phrase here, but everybody has one.)

You can make a valid case for either approach. The choice comes down
to your knowledge and comfort level. For instance, you correctly
praise Malware Bytes anti-malware. That's an independent product, and
not part of anyone's "All-in-one" suite. (I'm a little surprised I
haven't heard of an offer to buy them from Symantec or McAfee.)

I use an old and no longer offered firewall product - the last
freeware version of Sygate Personal Firewall - because I like the
interface and it does what is needed. I could probably drop it on the
desktop because there's a hardware firewall in my router, but keep it
about for outgoing control. (I have Windows Firewall enabled, too.
MS says don't do that, but they've played together fine as long as
I've used them.)

I use Symantec Corporate for A/V because it was install and forget,
but if it *stops* working, I may *not* replace it. The primary vector
for viruses is infected attachments in email. These days, my email is
entirely web based and I seldom download email attachments. Anything
I get by other means is scanned on the other end first. These days,
actual viruses are the least of my worries. Malware is a far greater
threat, but not one I worry about or lose sleep over.

I have things like Ad Aware, Spybot Search and Destroy, and Malware
Bytes to check for spyware/malware. They never find anything. Stuff
like that uses the browser as a vector, and I run a secure browser
with an additional level of validation and filtering beyond what it
offers, so spy/malware is highly unlikely to get onto my system. I
know how to respond if it does, but haven't had to.

Ultimately, I prefer to simply keep bad stuff from getting on my
system in the first place. So far, I'm succeeding.

>> On that box, a recent version of Midori (based on Webkit, as is Safari)
>
> ...as is Chrome....

And Safari.

At this point, the major engines out there are IE's Trident, Webkit,
Opera's Presto, and Mozilla Gecko.

I have one browser installed called Lunascape that can use Trident,
Webkit, or Gecko to render a page, as you choose. See
http://www.lunascape.tv/

>> I had that issue at a former employer, whose electronic timesheet
>> application used Active-X.  I used Firefox for everything *else*.  (I
>> was on the IT staff, had domain admin rights, and could install what I
>> liked.  I did so...)
>
> This is one reason I preferred to use my own notebook in the clinic.  (The
> other is that I type with a Dvorak layout and got tired of switching it when
> I would check out a laptop at the start of a clinic shift and then resetting
> before turning the machine back in when I was finished.)  I used MSIE for
> the EMR only.  When I needed to do other Web stuff (including educating
> patients and directing them to reputable sites for health information),
> Firefox was my friend.  It still is.

:-)

>> > Did you or your friend happen to try VIPRE Rescue?  It has some
>> > anti-rootkit capabilities and also plays well with MBAM.  You can get to
>> > them both from the same site:   http://vipre.malwarebytes.org/
>>
>> No, she decided to get a new machine before I got to that point.  The
>> old machine is still there, and I'm welcome to the carcass if I want
>> it to wipe and install Linux.  Maybe later.  I have too many machines
>> awaiting my attention.
>
> I understand how that is, and VIPRE Rescue certainly isn't your only
> anti-rootkit solution.  I just pulled that one because the MBAM folk have
> partnered with that vendor as a complementary tool.

Noted for future reference. I'm aware of an assortment of rootkit
removal tools. With luck, I won't have cause to resort to them.

She wound up getting a Dell all-in-one (where the system is built into
the display) running Win7. I had previously backed up her data from
the old machine, and got her My Documents folder transplanted and got
her Firefox and Thunderbird profiles migrated, so she was happy. The
new box is a lot faster than the old one.

> Sean
______
Dennis

Gary Welles

Jun 25, 2011, 7:00:48 PM6/25/11
to VDE Group
Dennis writes:

> The biggest problems on that line are phishing emails, where
> the address displayed in the HTML email is not the one you
> will actually be sent to.

If your email client is configured to display the text/plain
part as Mark and the email article in the US-CERT Reading Room
<http://www.us-cert.gov/reading_room/> suggest, you'll only
have the displayed address. Otherwise it may be best to get in
the habit of copying underlying links to the browser address
bar where they can be inspected first rather than "click
here".

-- Gary

Moy Wong

Jun 25, 2011, 7:06:06 PM6/25/11
to vde_e...@googlegroups.com
Dennis,

]> Lots of email now are in HTML, which can easily embed links to unclean
]> URLs.  These might get "displayed" like inline graphics--but your e-mail

[...]

]<shrug> So? The biggest problems on that line are phishing emails,
]where the address displayed in the HTML email is not the one you will
]actually be sent to.

<Shrug>? The problem is the needless "autoexec" behavior of some e-mail
clients. I personally am averse to running anything on my computer that
someone else can "control" with little more than a strangely crafted
message to my email address.

By way of analogy, I'd rather disable a PC's ability to boot from a
floppy than to upgrade the BIOS to detect whether it's booting from a
legitimate boot floppy.

Also, I'd like to open the e-mail (if even to read it for entertainment
purposes) without my mail client acting as a beacon for spammers,
telling them that I've not only opened their message, but have reached
out to every URL that it wanted me to touch.

I'm not against filtering, though. Filter the heck out of your email
stream, but don't allow your mail client to give the spammers any rope!

-moy

dmccunney

Jun 25, 2011, 7:24:36 PM6/25/11
to vde_e...@googlegroups.com

In Gmail, the "Show Original" option from the drop down menu shows me
the raw message without interpreting the HTML formatting. For that
matter, if I hover the cursor over the link displayed in email, the
actual underlying URL it really points to is displayed in the browser
status bar.

I do "Show Original" once in a while out of curiosity - I know it's a
phish, but I wonder where it's really trying to send me. The servers
it wants me to connect to are generally in China, Romania, or the
like, which is no surprise.

I know it's a phish because GMail's filters catch it, and there's a
"Report Phishing" option in Gmail as well as a "Report Spam" function.
All suspected phish mail has a big red warning box at the top if you
open and display it. The odd phish gets through marked only as
spam. I generally look long enough to mark them as phishes as well
before deleting.

Depending upon who it claims to be from, I sometimes forward such
things to abuse@<whoever>.com, just to make sure the targeted entity
(usually a bank) is aware they are the target of a phish. (And this
can be frustrating, as in the case of the financial institution that
refused to accept email as a spam/malware defense, wouldn't *let* me
forward the phish for inspection, and insisted I use a web based
comment form to communicate. Serves you right if you get nailed,
guys...)

There's a limit to how much technology can do to mitigate the threat.
Ultimately, phishes are social engineering, relying on greed,
ignorance, credulity, and/or stupidity on the part of the recipient.
Technology can help reduce the number of such things that hit our
email Inbox, but it cannot stop people from acting upon those that do.
_____
Dennis
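The two hazards the last few messages turn on, as an added example (editor's illustration, not code from the thread or from any mail client): Gary's and Dennis's point that the address shown in an HTML phish differs from the one the link really goes to, and Moy's point that a client which renders remote images acts as a beacon back to the sender. The function below takes a raw message, the same thing Gmail's "Show Original" displays, pulls the text/plain alternative that a client configured as Gary suggests would show, and reports anchors whose visible text names one host while the href points at another, plus any remote resources that rendering would fetch. The sample message, its hostnames and the hex IP literal in it are constructed, not a real phish.

```python
"""Inspect a raw e-mail (what "Show Original" displays) for links whose
visible text and href disagree, and for remote resources the client
would fetch just by rendering the HTML.  Added illustration, not code
from the thread or from any mail client."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the hosts are placeholders, not real sites.
# The href uses a hex IP literal, the kind of obscured address Moy mentions.
RAW_MESSAGE = b"""From: "Example Bank" <alerts@example-bank.test>
To: victim@example.org
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Please log in at https://www.example-bank.test/ to verify your account.

--XYZ
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please log in at
<a href="http://0x7f000001/login">https://www.example-bank.test/</a>
to verify your account.</p>
<p><a href="https://www.example-bank.test/help">Help</a></p>
<img src="http://tracker.attacker.test/open.gif?id=12345" width="1" height="1">
</body></html>
--XYZ--
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for anchors and src= for remote resources."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.remote = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.remote.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    """Visible text that advertises an address (a URL or bare domain)."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t


def plain_text(raw):
    """The text/plain alternative, all that a plain-text-only client shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def analyze(raw):
    """Return mismatched (shown, actual) links and remote resources in the HTML part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    result = {"mismatched_links": [], "remote_resources": []}
    if part is None:
        return result                       # no HTML part: nothing to render
    p = _LinkParser()
    p.feed(part.get_content())
    for href, text in p.links:
        if not _looks_like_url(text):
            continue                        # "click here" style text: no claim to check
        shown = text if "://" in text else "http://" + text
        if _host(shown) != _host(href):
            result["mismatched_links"].append((text, href))
    result["remote_resources"] = [s for s in p.remote
                                  if urlparse(s).scheme in ("http", "https")]
    return result


if __name__ == "__main__":
    print(plain_text(RAW_MESSAGE))
    for shown, actual in analyze(RAW_MESSAGE)["mismatched_links"]:
        print(f"link shows {shown!r} but goes to {actual!r}")
    for src in analyze(RAW_MESSAGE)["remote_resources"]:
        print(f"rendering would fetch {src}")
```

The "Help" link is not reported because its visible text makes no claim about where it goes; the check is specifically for text that looks like an address. Anything in `remote_resources` is a request the client would make on the sender's behalf the moment the message is displayed, which is exactly what disabling remote content in the client prevents.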

dmccunney

Jun 25, 2011, 7:36:45 PM6/25/11
to vde_e...@googlegroups.com
On Sat, Jun 25, 2011 at 7:06 PM, Moy Wong <m...@panix.com> wrote:
> Dennis,
>
> ]> Lots of email now are in HTML, which can easily embed links to unclean
> ]> URLs.  These might get "displayed" like inline graphics--but your e-mail
>
> [...]
>
> ]<shrug>  So?  The biggest problems on that line are phishing emails,
> ]where the address displayed in the HTML email is not the one you will
> ]actually be sent to.
>
> <Shrug>?  The problem is the needless "autoexec" behavior of some e-mail
> clients.  I personally am averse to running anything on my computer that
> someone else can "control" with little more than a strangely crafted
> message to my email address.

I concur. I turned off that sort of stuff when I got mail via POP.

> By way of analogy, I'd rather disable a PC's ability to boot from a
> floppy than to upgrade the BIOS to detect whether it's booting from a
> legitimate boot floppy.

I'm unaware of any BIOS that tries to do that. How does it know what
bootable floppy is "legitimate"? I can turn off the ability to boot
from a floppy at all, but haven't found it necessary to do so.

> Also, I'd like to open the e-mail (if even to read it for entertainment
> purposes) without my mail client acting as a beacon for spammers,
> telling them that I've not only opened their message, but have reached
> out to every URL that it wanted me to touch.
>
> I'm not against filtering, though.  Filter the heck out of your email
> stream, but don't allow your mail client to give the spammers any rope!

I concur again, and I don't.

One reason I like GMail is the effectiveness of the spam filters. If
not giving an email address, or giving a throwaway address if you do
to prevent getting spam is a tactic you practice, I don't bother.
Send all the spam you want. For the most part, I'll never see it. (I
see the odd spam that doesn't get caught by the filters *once*. "Report
Spam" and I don't see it again.)

Another is the web interface, and the fact that HTML mail is rendered
in the GMail interface in the browser. I occasionally need to open a
link to a page in another tab, because not everything displays
properly in GMail, but that's fine. Among other things, it means
potentially malicious code doesn't, either.

>        -moy
_____
Dennis

Gary Welles

Jun 26, 2011, 6:42:16 PM6/26/11
to VDE Group
Dennis writes:

> I sometimes forward such things to abuse@<whoever>.com, just
> to make sure the targeted entity (usually a bank) is aware
> they are the target of a phish. (And this can be
> frustrating, as in the case of the financial institution
> that refused to accept email as a spam/malware defense,
> wouldn't *let* me forward the phish for inspection, and
> insisted I use a web based comment form to communicate.

US-CERT solicits phishing reports:

Report Phishing Sites
http://www.us-cert.gov/nav/report_phishing.html

and is probably the fastest way to alert those who need to
know.

-- Gary


Moy Wong

Jul 13, 2011, 5:53:24 AM7/13/11
to vde_e...@googlegroups.com
Gents,

Wasn't I just talking about "autoexec"-inspired exploits?

Bluetooth is autoexec to the point of "automagic"--but the fun could end
soon with some exploit targeting yet another autoexec-enabled function.
Microsoft has issued a patch for a Bluetooth (!) vulnerability:

http://krebsonsecurity.com/2011/07/microsoft-fixes-scary-bluetooth-flaw-21-others/

-moy

]
]<Shrug>? The problem is the needless "autoexec" behavior of some e-mail

dmccunney

Jul 13, 2011, 3:37:09 PM7/13/11
to vde_e...@googlegroups.com
On Wed, Jul 13, 2011 at 5:53 AM, Moy Wong <m...@panix.com> wrote:
> Gents,
>
> Wasn't I just talking about "autoexec"-inspired exploits?
>
> Bluetooth is autoexec to the point of "automagic"--but the fun could end
> soon with some exploit targeting yet another autoexec-enabled function.
> Microsoft has issued a patch for a Bluetooth (!) vulnerability:
>
> http://krebsonsecurity.com/2011/07/microsoft-fixes-scary-bluetooth-flaw-21-others/

I'm glad they patched it, but this is another "How likely is it to
actually happen?" security hole. (I'm all in favor of patching any
hole, but how much I worry if it doesn't get patched depends on the
hole.)

>        -moy
______
Dennis
